From: "wenyi,xie via groups.io"
Subject: [edk2-devel] [PATCH EDK2 v2 1/1] MdeModulePkg/PiSmmCore:Avoid overflow risk
Date: Thu, 18 Aug 2022 17:34:33 +0800
Message-ID: <20220818093433.2609170-2-xiewenyi2@huawei.com>
In-Reply-To: <20220818093433.2609170-1-xiewenyi2@huawei.com>

As the CommunicationBuffer plus BufferSize may overflow, check the value first before using.

Cc: Jian J Wang
Cc: Liming Gao
Cc: Eric Dong
Cc: Ray Ni
Signed-off-by: Wenyi Xie
---
 MdeModulePkg/Core/PiSmmCore/PiSmmCore.c | 10 +++++++++-
 MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c | 4 ++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c b/MdeModulePkg/Core/Pi= SmmCore/PiSmmCore.c index 9e5c6cbe33dd..003db3b85802 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmCore.c 
@@ -621,6 +621,14 @@ InternalIsBufferOverlapped ( IN UINTN Size2 ) { + // + // If integer overflow when adding Buff1 to Size1, treat it as Overlap. + // Also, if integer overflow when adding Buff2 to Size2, treat it as Ove= rlap. + // + if (((UINTN)Buff1 > MAX_UINTN - Size1) || ((UINTN)Buff2 > MAX_UINTN - Si= ze2)) { + return TRUE; + } + // // If buff1's end is less than the start of buff2, then it's ok. // Also, if buff1's start is beyond buff2's end, then it's ok. @@ -703,7 +711,7 @@ SmmEntryPoint ( // // If CommunicationBuffer is not in valid address scope, // or there is overlap between gSmmCorePrivate and CommunicationBu= ffer, - // return EFI_INVALID_PARAMETER + // return EFI_ACCESS_DENIED // gSmmCorePrivate->CommunicationBuffer =3D NULL; gSmmCorePrivate->ReturnStatus =3D EFI_ACCESS_DENIED; diff --git a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c b/MdeModulePkg/Core/PiS= mmCore/PiSmmIpl.c index 4f00cebaf5ed..78df802fe748 100644 --- a/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c +++ b/MdeModulePkg/Core/PiSmmCore/PiSmmIpl.c @@ -526,6 +526,10 @@ SmmCommunicationCommunicate ( CommunicateHeader =3D (EFI_SMM_COMMUNICATE_HEADER *)CommBuffer; =20 if (CommSize =3D=3D NULL) { + if (CommunicateHeader->MessageLength > MAX_UINTN - OFFSET_OF (EFI_SMM_= COMMUNICATE_HEADER, Data)) { + return EFI_INVALID_PARAMETER; + } + TempCommSize =3D OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + Commun= icateHeader->MessageLength; } else { TempCommSize =3D *CommSize; --=20 2.20.1.windows.1
View/Reply Online (#92544): https://edk2.groups.io/g/devel/message/92544
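
Review bot: In the InternalIsBufferOverlapped hunk (PiSmmCore.c, @@ -621), the new early return reports a wrapping Buff/Size pair as TRUE, so a caller cannot tell malformed input from a genuine overlap. Failing closed is the right default here, but the function's header comment should state that TRUE is also returned when Buff1 + Size1 or Buff2 + Size2 would exceed MAX_UINTN. The added comment would read better as "If adding Size1 to Buff1 would overflow, treat it as overlap". It is also worth a word in that comment that `(UINTN)Buff1 > MAX_UINTN - Size1` rejects a range whose exclusive end is exactly MAX_UINTN + 1, which is conservative but intentional.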
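
Review bot: The comment correction in the SmmEntryPoint hunk (PiSmmCore.c, @@ -703) is not mentioned in the commit message, which only talks about the overflow check. Please add a line saying the comment is being aligned with the existing `gSmmCorePrivate->ReturnStatus = EFI_ACCESS_DENIED;` assignment, or split it into its own patch. If the overlap test on this path is InternalIsBufferOverlapped, the comment's list of conditions ("not in valid address scope, or there is overlap") should also name the new case, an address plus size that wraps, since that now ends in the same EFI_ACCESS_DENIED result.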
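
Review bot: In the SmmCommunicationCommunicate hunk (PiSmmIpl.c, @@ -526), the new MessageLength check carries no comment, unlike the one added to InternalIsBufferOverlapped, and it guards only the `CommSize == NULL` branch. Please add a short comment explaining that it prevents `OFFSET_OF (EFI_SMM_COMMUNICATE_HEADER, Data) + CommunicateHeader->MessageLength` from wrapping, and update the function's documented return values to include this EFI_INVALID_PARAMETER case. In the else branch `TempCommSize = *CommSize;` is taken as supplied; nothing in the visible lines relates it to MessageLength, so please confirm that the code following this hunk validates that combination or add the check here.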